19:00:39 <GeKo> #startmeeting tor browser sandboxing 11/30
19:00:39 <MeetBot> Meeting started Fri Nov 30 19:00:39 2018 UTC. The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:39 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
19:00:45 <GeKo> hello everyone!
19:01:05 <sysrqb> hi! i'm going afk now for another 2 min
19:01:11 <GeKo> we thought it would be a good idea to do a sync before mozilla all hands about our sandboxing plans
19:01:14 <sysrqb> anyone else here? :)
19:01:27 <GeKo> probably tjr
19:01:28 <tjr> I'm here. Do we have a pad? I have notes to paste somewhere :)
19:01:34 <GeKo> not yet
19:01:40 <GeKo> let me create one
19:02:16 <mcs> I’m here too.
19:03:01 <GeKo> https://pad.riseup.net/p/tor-browser-sandboxing-11-30
19:03:36 <sysrqb> okay, bad timing. here now.
19:03:39 <GeKo> okay back to the topic while we wait for sysrqb
19:03:39 <sysrqb> woo people :)
19:03:50 <GeKo> ah, you are back, good
19:03:59 <GeKo> let me just put some resources in this chat
19:04:27 <GeKo> https://lists.torproject.org/pipermail/tbb-dev/2018-July/000893.html is the mail summarizing our last meeting (which feels like ages ago)
19:04:52 <GeKo> it (and the following discussion) outlined some possible ways forward on *all* of our platforms
19:04:58 <GeKo> (from a birds-eye-view)
19:05:19 <GeKo> then https://bugzilla.mozilla.org/show_bug.cgi?id=1510416 might be interesting for the near future
19:05:46 <GeKo> gps and other mozilla folks have added some ideas in this bug
19:06:01 <GeKo> which might be worth thinking about and aligning with what we want to do
19:06:13 <GeKo> that said, sysrqb you have the stage
19:06:32 <tjr> 1510416 is solely about how firefox gets built; which is not very relevant for tor, i don't think, since it already gets built in a vm
19:06:58 <GeKo> ah, okay, then i misread that one
19:06:59 <tjr> (I don't know if there are known vm escapes you're concerned about though)
19:07:10 <sysrqb> that sounds like tor-browser-build?
19:07:20 <GeKo> yeah, if so this is orthogonal, then though
19:07:22 <GeKo> yes
19:09:00 <sysrqb> i was also cc'd on a bug for multi-process firefox on android...but i'm still looking for that link
19:09:59 <sysrqb> i think? or maybe i imagined it
19:10:03 <sysrqb> in any case
19:11:26 <sysrqb> so in the thread from july, tjr had good input on the sandboxing model sandboxed tor browser used
19:11:50 <sysrqb> i see we now have notes on the pad
19:13:40 <tjr> Yea, that's just what I brought to the meeting for discussion
19:16:29 <GeKo> tjr: is that stuff mozilla would be interested in helping with/doing?
19:17:11 <GeKo> or would it be useful to mark those items?
19:17:53 <GeKo> because it might get us some cheap progress while working on the harder topics
19:18:23 <tjr> Probably not....
19:18:38 <GeKo> okay, fair enough
19:18:53 <tjr> While haik I bet would help POC the little thing; I think the larger things would probably fall to Ethan's team to either develop or uplift if Tor wrote them.
19:19:11 <tjr> And I think there are enough 'Oh poop we need to work on this for the next ESR' topics to keep Ethan's team busy until then.
19:19:24 <GeKo> yep, agreed
19:19:29 <tjr> (Specifically: rust, extensions, fingerprinting uplift)
19:19:31 <sysrqb> Necko is still in the parent process, correct?
19:19:50 <tjr> Necko is in the parent process for ESR 60; but for the next ESR it will be in its own process *I think*.
19:20:07 <tjr> I'm not sure of its roadmap, it might slip? Or might not be on all platforms? But it's being worked on currently.
19:20:07 <sysrqb> okay, that's promising
19:20:07 <GeKo> hopefully, yes
19:20:20 <tjr> That said, I'm not sure how much that gets us in the short term.
19:20:35 <tjr> Windows, there's complicated disabling network access. Mac's content process is already restricted.
19:20:42 <tjr> Linux... I dunnoe.
19:20:51 <tjr> s/complicated/complications/
19:21:27 <sysrqb> right, only as much as exploiting necko directly is possible
19:22:02 <sysrqb> that would be one fewer component in the parent process
19:23:25 <sysrqb> so, it seems like we mostly agree the least-effort in this area is getting sandboxed tor browser working with Tor Browser 8/8.5, correct?
19:23:43 <sysrqb> plus improving the various UX issues
19:24:12 <GeKo> yes, def least effort
19:24:21 <sysrqb> on the other platforms, improving on the work Mozilla are doing in this area seems like the way we are going?
19:24:22 <GeKo> i like tom's general opinion of sandboxing
19:25:02 <GeKo> one of the tricky things we have to decide is how to allocate our constrained resources here
19:25:32 <sysrqb> yeah
19:25:36 <GeKo> (assuming we like it)
19:26:21 <ahf> 14
19:26:35 <GeKo> so, my idea for the hard parts of the sandboxing work (parent process sandboxing) was to write something up to get funding for it
19:26:45 <GeKo> and hire someone helping us here
19:26:50 <mcs> I also like tjr’s “general opinion of sandboxing.” It seems like it will add security in the medium term without requiring us to hire a new team of engineers (maybe).
19:27:08 <GeKo> especially now that we lost arthur and are busy finding someone else to replace him
19:27:27 <GeKo> but the things to do did not get less
19:27:48 <GeKo> mcs: yes.
19:28:42 <sysrqb> ~.~.
19:29:18 <GeKo> ?
19:29:37 <GeKo> (what's ~.~.?)
19:30:02 <tjr> Squinty Eyes I think :)
19:30:29 <sysrqb> err, me force-closing my ssh session :(
19:30:31 <sysrqb> bad network
19:30:43 <sysrqb> sorry
19:30:53 <GeKo> ah :)
19:31:10 <tjr> Something to note: jld (Jed) knows a lot about sandboxing on Linux and I believe will be at our meeting. Gian-Carlos (gcp) also knows a lot there but has a conflict and will miss the meeting. So it might be worth finding and chatting with him after the meeting to get some targeted thoughts from him.
19:32:36 <sysrqb> okay, that sounds like a good plan
19:33:48 <sysrqb> for windows, based on the response above, i'm guessing mozilla aren't interested in prioritising work on removing networking from the content process, correct?
19:34:22 <tjr> Well, I *think* one of the issues was we needed to move audio out... which is either in-progress or done?
19:35:09 <sysrqb> okay
19:35:19 <tjr> After that I don't know what else is left? So I don't have enough information. At a minimum, you could easily get someone to give you a rough idea of how hard it would be and what needs to be done. And if it's not that difficult, they might even be able to give you a POC patch that someone (maybe I, maybe Ethan's team) could try to uplift
19:35:37 <tjr> So it's worth asking about for certain.
19:35:56 <sysrqb> yeah, that's what i was thinking, too
19:36:01 <GeKo> yeah, that sounds good
19:37:03 <GeKo> sysrqb: if we could have a good overview where we are here for all platforms and what next steps would be to get the remaining things tackled
19:37:23 <GeKo> that would help a great deal with allocating someone from the tor browser team to work on those
19:37:27 <sysrqb> if i can get a per-platform break-down of what's remaining (as far as Moz know), and how difficult each item is
19:37:36 <sysrqb> sorry, lag. agreed
19:37:42 <GeKo> :)
19:38:14 <sysrqb> and the sandboxing meeting is on Wed, so that'll give me some time on Weds afternoon and thurs for this
19:38:34 <sysrqb> and Friday
19:40:42 <sysrqb> the windows launcher from https://bugzilla.mozilla.org/show_bug.cgi?id=1481546 seems like it's making progress, as well
19:41:09 <tjr> yes!
19:41:12 <sysrqb> i haven't looked at the actual impl yet, though, so i have no idea if it's very useful to us at this point
19:41:18 <tjr> I have hopes that we can abuse that in the future :)
19:41:35 <sysrqb> that would be nice :)
19:42:27 <sysrqb> ok, so i think i have two take-aways from this meeting
19:42:46 <sysrqb> 1) we should evaluate how difficult getting sandboxed tor browser running again is
19:43:25 <sysrqb> 2) at the all hands, we should get a break-down on what vectors are remaining on each platform, and what ideas exist for closing them
19:43:45 <sysrqb> and then we can evaluate what resources we want to devote to any of them
19:44:19 <GeKo> i think it is pretty clear we should hire someone for the parent process sandbox work
19:44:48 <GeKo> so i would add 3) get together after all-hands to write a proposal for funders to shop around
19:44:51 <sysrqb> yes, that seems like a much larger project
19:45:11 <GeKo> that is probably including results from 1)
19:45:13 <sysrqb> especially because this would not be supported by Mozilla's work at this point
19:45:18 <GeKo> yes
19:45:43 <GeKo> i have some ideas for that proposal
19:46:02 <GeKo> like using the sandboxed tor browser as a stepping stone to think about work on other platforms as well
19:46:35 <GeKo> while at the same time experimenting with it and what it means to get such a thing into a proper "product"
19:46:41 <GeKo> (i hate that word)
19:47:09 <sysrqb> "user-friendly browser" :)
19:47:25 <GeKo> yeah, sounds easy, right?
19:47:44 * tjr pulls down Mythical Man Month
19:47:52 <tjr> How about "a Programming Systems Product"?
19:47:53 <GeKo> exactly
19:48:39 <tjr> i had one or two other things to throw out for discussion
19:48:44 <sysrqb> okay, anyone else have something they want to discuss in this meeting?
19:48:52 <sysrqb> ah, okay, go for it
19:48:53 <tjr> Another thing I will take the opportunity to ask here: there are patches in-progress or stalled at Mozilla for security features. They tend to be hung up because of performance or (more rarely) 'I don't like this, we should refactor it'. They probably wouldn't last past an ESR rebase. Would there be interest in me trying to land those in Tor Browser?
19:48:53 <tjr> (Actually it occurs to me both the ones I'm thinking of are in jemalloc which is disabled on Windows :( )
19:49:41 <GeKo> yes, please :)
19:49:51 <tjr> ok :)
19:49:52 <tjr> And in addition to this, there's also Fuzzyfox. The next step for that I think is more people to use it and enable it on Nightly and see if it seems usable. (I want to do some performance testing myself, just haven't found time.)
19:49:56 <GeKo> fwiw what's the jemalloc situation?
19:50:27 <tjr> Ummmm I think the next step was for me to re-debug because my results were inconsistent last time and ask dmajor for feedback
19:50:50 <tjr> But it was so painful debugging it, and i had mingw-clang so close with its beautiful debugging that i just.... kinda.... worked on other stuff
19:50:56 <GeKo> does the issue go away if we switched to mingw-w64/clang?
19:50:59 <tjr> Yes
19:51:16 <GeKo> okay, then don't spend time on that one i think
19:51:41 <tjr> kk
19:51:49 <GeKo> we would probably ship jemalloc support in alphas first anyway
19:52:01 <GeKo> and plan to switch to mingw-w64/clang there soon (TM)
19:52:36 <GeKo> but, yes, fuzzyfox would be neat as well
19:52:49 <GeKo> but i suspect that's a largish patch
19:52:55 <sysrqb> that "just" needs a backport?
19:53:00 <tjr> It's not that big a backport actually
19:53:05 <GeKo> yeah, "just"
19:53:31 <tjr> the larger effort would definitely be a) performance and acceptance testing and b) determining what security margin is approximately equivalent to tor's current one
19:53:50 <tjr> Although (b) might just be "Hey David, what should we make this?"
19:53:58 <GeKo> sounds like something we could our alphas use fr
19:54:01 <GeKo> *for
19:54:13 <GeKo> maybe even on some platforms first
19:54:34 <GeKo> tjr: i guess you could file a trac bug for that?
19:54:46 <tjr> sure
19:54:48 <GeKo> and we do the work there and discuss how to deploy it?
19:55:13 <tjr> will work on these next week!
19:55:22 <GeKo> awesome!
19:56:24 <sysrqb> anyone have anything else?
19:56:39 <GeKo> i am fine and excited
19:56:45 <sysrqb> with 2 min remaining :)
19:57:00 <tjr> call it. thanks everyone!
19:57:10 <sysrqb> thanks tjr, GeKo, mcs
19:57:32 * sysrqb is excited too
19:58:11 <GeKo> #endmeeting